Wednesday, March 4. 2009

This talk will introduce a new tool which allows attacks against Windows 7 via boot sectors. In this talk we will demo Vbootkit 2.0 in action and show how to bypass and circumvent security policies / architecture using customized boot sectors for Windows 7 (x64). The talk will cover:

Monday, May 19. 2008

This project details the internals and implementation of the BitLocker encryption system for Vista.
NVbit is a Linux FUSE driver to access Windows Vista's BitLocker volumes from Linux, provided you have the right keys. A white paper and supporting presentation are also available. The research was done about a year ago. Work was stopped prematurely, so don't expect things in clean or finished shape. The code is in alpha state.
Both the paper and presentation are incomplete draft versions. However, missing details can be found in the NVbit source code. NVbit allows read-only access (writing could be done by performing the same steps in reverse order, but it doesn't exist for now).

Thursday, April 26. 2007

Nitin & Vipin: Vbootkit is much like a door or a shortcut to access Vista's kernel.

A bootkit is a rootkit that is able to load from a boot sector (master boot record, CD, PXE, floppies etc.) and persist in memory all the way through the transition to protected mode and the startup of the OS.

It's very small. The basic framework is just about 100 lines of assembly code. It supports 2000, XP and 2003.

It patches the kernel at runtime (no files are patched on disk).

The bootkit is PXE-compatible.

It can even lead to the first ever PXE virus.

It also enables you to load other rootkits if you have physical access (normally rootkits can only be loaded by the administrator).

The bootkit has been tested with a number of kernel-mode shellcodes, such as one that loads native applications and drivers from the shellcode, and another that periodically raises every CMD.EXE to SYSTEM privileges.

The source code will contain 4 levels of bootkits (showcasing different payloads):

Basic framework (kernel patching has to be done later on) (available for download)

Privilege escalation framework (demonstrates creating new system threads and how to escalate privileges easily) (available for download)

Thursday, January 11. 2007

"How to load a driver from kernel mode without touching the registry" is asked almost always. Today, I will give you an insight into how Windows loads its drivers and then document a new method to load a driver without touching the registry.

This is required because even if you exploit a kernel vulnerability, you still cannot load any driver, because almost all existing antivirus solutions hijack the NTOSKRNL APIs (which let you write to specific registry locations, load drivers etc.).

The first method to load a driver is given below:

Windows NT loads drivers using the function ZwLoadDriver.

Its declaration is as follows:

NTSTATUS ZwLoadDriver (IN PUNICODE_STRING DriverServiceName);

DriverServiceName: Pointer to a counted Unicode string that specifies the path to the driver's registry key, \Registry\Machine\System\CurrentControlSet\Services\DriverName, where DriverName is the name of the driver.

The second method is given below:

After Windows 2000 starts up, it loads the special driver win32k.sys. It is not loaded in the traditional way (as all other drivers are loaded) by calling ZwLoadDriver, NtLoadDriver etc.

It is actually loaded through the kernel API ZwSetSystemInformation.

This API is used to set system information such as the page file and the file cache (working set information), and it also loads the above driver.

In WinDbg, you can find the address of MmLoadSystemImage using "d MmLoadSystemImage" (symbols are required, of course).

NOTE: MmLoadSystemImage internally checks the image after loading it into memory, so make sure the checksum of the image is correct. This check is done by MiCheckSystemImage. Import resolution and dependency loading are done by MiResolveImageReferences.

3) Try to open the file using ZwOpenFile; if the file cannot be opened, return with an error code.
4) Compute the image checksum and compare it with the checksum stored in the header.
5) If the checksum doesn't match, return with an error code.
6) Create a section with ZwCreateSection and then reference it.
7) Map it into kernel space using MmMapViewInSystemSpace.
8) If necessary, apply relocations to the image using LdrRelocateImage.
9) Resolve references using MiResolveImageReferences.
10) Then create an entry in PsLoadedModuleList for the module.
11) Make it write-protected.
12) Then close the file handle.
13) Return from the call.
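The checksum test in steps 4 and 5, and the entry-point lookup mentioned after the list, are both plain PE header parsing. The following is an added Python example (not the authors' code) that recomputes the standard PE header CheckSum the way the loader does, compares it with the stored field, and reads AddressOfEntryPoint; the sample image is a constructed minimal PE32 header, not a real driver.

```python
import struct
from typing import Optional

def pe_checksum(data: bytes, checksum_offset: Optional[int] = None) -> int:
    """Recompute the PE header CheckSum over `data`: ones' complement sum of
    16-bit words plus the file length, excluding the 4-byte CheckSum field."""
    total = 0
    for i in range(0, len(data), 2):
        if checksum_offset is not None and checksum_offset <= i < checksum_offset + 4:
            continue                                   # the stored field is not summed
        total += int.from_bytes(data[i:i + 2], "little")  # odd trailing byte is zero-padded
        total = (total & 0xFFFF) + (total >> 16)       # end-around carry
    total += total >> 16
    return (total & 0xFFFF) + len(data)

def optional_header_offset(data: bytes) -> int:
    """File offset of IMAGE_OPTIONAL_HEADER: e_lfanew + 4 (PE signature) + 20 (COFF)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    return e_lfanew + 4 + 20

def verify_pe_checksum(data: bytes) -> tuple:
    """Return (stored, computed, match); CheckSum sits at optional header + 64 for
    PE32 and PE32+ alike. A mismatch is what step 5 rejects."""
    off = optional_header_offset(data) + 64
    stored = int.from_bytes(data[off:off + 4], "little")
    computed = pe_checksum(data, off)
    return stored, computed, stored == computed

def entry_point_rva(data: bytes) -> int:
    """AddressOfEntryPoint (optional header + 16): the RVA the loader adds to the
    image base to reach DriverEntry once the image is mapped."""
    opt = optional_header_offset(data)
    return int.from_bytes(data[opt + 16:opt + 20], "little")

def build_sample_image() -> bytes:
    """Constructed minimal PE32 header (not a real driver) with a valid CheckSum."""
    dos = b"MZ" + bytes(0x3A) + (0x40).to_bytes(4, "little")        # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                             # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)                           # constructed entry RVA
    image = bytearray(dos + coff + opt)
    off = optional_header_offset(image) + 64
    struct.pack_into("<I", image, off, pe_checksum(image, off))
    return bytes(image)
```

verify_pe_checksum(build_sample_image()) reports a match; flipping any byte outside the CheckSum field makes it report a mismatch, which is the condition that aborts the load in step 5.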

So now we have a function which loads an image into memory, but what about calling DriverEntry (the entry point of the driver)? Its address can be obtained from the PE headers themselves after the image has successfully loaded into memory. This method has been, and can be, used to load and execute drivers, native applications etc. directly from kernel mode.

Here is the assembly code (kernel-mode assembly). It has been tested on Windows XP SP0 English version. After minor modifications the code runs on Win2k, XP, 2k3 etc.

NOTE: These APIs or functions are not exported by NTOSKRNL, but they exist for internal usage. These functions are not hooked by any antivirus solutions, so they can be used to load drivers and native applications and then run them.

That's all about loading a driver from kernel mode without touching the registry.
Also, the code does some error checking, so that no hard error occurs.